Office 365 phishing campaign capable of bypassing MFA targets 10,000 organizations

Microsoft security researchers have uncovered a large-scale phishing campaign using HTTPS proxy techniques to hijack Office 365 accounts. The attack can bypass multi-factor authentication (MFA) and has targeted over 10,000 organizations as of September 2021.

The campaign’s goal appears to be Business Email Compromise (BEC), a type of attack that uses an employee’s email account to trick other employees in the same organization or external business partners into initiating fraudulent money transfers. According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks resulted in over $43 billion in losses between June 2016 and December 2021.

The Power of Adversary-in-the-Middle (AiTM) Phishing

Attacks observed by Microsoft began with victims receiving deceptive emails with malicious HTML attachments. Some emails posed as voicemail notifications and instructed users to open the attachments, redirecting them to pages simulating download progress, which then redirected them back to a deceptive Office 365 login page.

While this looks like a typical phishing attack, the backend implementation differentiates it. First, the user’s email address is encoded in the URL of the redirect page and is used to pre-fill the login field on the phishing pages. Second, the phishing sites themselves act as a proxy, pulling their content in real-time from the legitimate Office 365 login page.

The phishing pages were hosted on HTTPS-enabled domain names, some of which had names masquerading as Microsoft services. Essentially, the victim’s browser established a TLS connection with them and the site established a TLS connection with the real login page. Because the email address was auto-filled, the attackers were able to display the custom Office 365 login pages that victims were used to for their own organizations, making the attack more believable.

Since the phishing page acted as a proxy, it forwarded the user-entered credentials to the legitimate Office 365 site and then displayed the MFA prompt requested by the site in real-time. The aim was to complete the login process in real time and capture the user’s session cookie.

The session cookie is a unique identifier that websites set in browsers once an authentication process has successfully completed, in order to remember the user while navigating through the website without prompting them to re-authenticate.

“Our observation is that after a compromised account logged into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online,” the Microsoft researchers said in their report. “In several cases, the cookies had an MFA claim, meaning the attacker used the session cookie to gain access on behalf of the compromised account, even if the organization had an MFA policy.”

This web-based man-in-the-middle phishing technique against authentication systems is not new, and there are several open-source toolkits that attackers can use to easily automate such phishing attacks. The toolkit used in this case is called Evilginx2 and has been around since 2018.

It’s worth noting that not all types of MFA can be circumvented by AiTM techniques. Solutions that conform to the FIDO2 standard and rely on a key fob connected to the computer or a fingerprint sensor in a mobile device cannot be proxied in this way. Even though SMS-based and code-based solutions are vulnerable, using any form of MFA is always better than none at all, as it blocks a variety of less sophisticated attacks, such as credential stuffing and other forms of password theft.

Microsoft also recommends enabling Conditional Access policies that check for compatible devices or trusted IP addresses before completing authentication, and continuous monitoring for suspicious logins from unusual locations, ISPs, or using non-standard user agents.
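The monitoring Microsoft recommends can be reduced to one concrete check for the cookie-replay pattern described above: a session established with an MFA claim that is then used from a different network or browser. The following is an added illustration, not code from Microsoft’s report; the sign-in records are constructed and their field names (`session`, `asn`, `ua`, `mfa`) are assumptions, not any vendor’s log schema.

```python
from collections import OrderedDict

# Constructed sign-in events, not real telemetry. Field names are an
# assumption loosely modeled on a sign-in log, not a vendor schema.
SIGNINS = [
    {"ts": "2021-09-01T08:00:02Z", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Chrome/93 Windows", "mfa": True},
    {"ts": "2021-09-01T08:00:09Z", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Chrome/93 Windows", "mfa": True},
    # Same session cookie minutes later from another network and browser:
    # the shape a proxied-then-replayed session cookie leaves in the log.
    {"ts": "2021-09-01T08:04:41Z", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.7", "asn": "AS64501", "ua": "Firefox/92 Linux", "mfa": True},
    {"ts": "2021-09-01T09:10:00Z", "user": "bob@example.com", "session": "S2",
     "ip": "192.0.2.5", "asn": "AS64502", "ua": "Edge/93 Windows", "mfa": True},
]


def find_session_reuse(events):
    """Return one alert per event whose session was first established from a
    different ASN or user agent. The earliest event for a (user, session) pair
    is the baseline; later events are compared against it. ASN changes alone
    can be benign (mobile roaming), so the alert is a triage signal."""
    baseline = OrderedDict()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["session"])
        if key not in baseline:
            baseline[key] = ev
            continue
        first = baseline[key]
        reasons = []
        if ev["asn"] != first["asn"]:
            reasons.append(f"asn {first['asn']} -> {ev['asn']}")
        if ev["ua"] != first["ua"]:
            reasons.append(f"user agent {first['ua']!r} -> {ev['ua']!r}")
        if reasons:
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "ts": ev["ts"], "ip": ev["ip"],
                           "mfa_claim": ev["mfa"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SIGNINS):
        print(alert)
```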

From phishing to BEC

After a successful compromise, attackers scoured the victim’s inbox for email threads mentioning financial transactions or invoices into which they could insert themselves and pose as the victim. Once they identified such a thread or fraud target based on previous communications, they created an email to that person or entity on behalf of the email account owner and set up an email filtering rule that would automatically mark all future replies from that correspondent as read and archive them.

They also deleted the messages they sent from the Drafts, Sent, and Junk folders and checked the archive folder every few hours for replies. “On one occasion, the attacker ran multiple fraud attempts simultaneously from the same compromised mailbox. Each time the attacker found a new fraud target, they would update the inbox rule they created to include the company domains of those new targets.”

In some cases, it took attackers as little as five minutes to identify a potential fraud victim whom they could trick, and to send them messages from the compromised email account. Sometimes the back-and-forth communication took days, and there are indications that the scam was carried out manually.

Microsoft recommends organizations set up policies to monitor inbox rules that may have suspicious purposes or to trigger alerts for unusually high levels of email access events from untrusted IP addresses or devices.
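The inbox-rule monitoring recommended here can be expressed as a scan for the specific pattern described in this campaign: a rule scoped to particular correspondents that marks matching mail as read and moves it to a folder the user rarely opens, or deletes it. The following is an added example, not Microsoft’s tooling; the rules are constructed, and the `displayName`/`conditions`/`actions` layout is an assumption loosely modeled on Microsoft Graph messageRule objects.

```python
# Constructed inbox rules, not data from any real tenant. The field layout
# is an assumption loosely modeled on Graph messageRule objects; adapt the
# key names to whatever export (Graph, Exchange PowerShell) you actually use.
RULES = [
    {"displayName": "Newsletter", "isEnabled": True,
     "conditions": {"senderContains": ["news@vendor.example"]},
     "actions": {"moveToFolder": "Newsletters", "markAsRead": False}},
    # The pattern from this campaign: replies from the fraud targets' domains
    # are marked read and archived so the mailbox owner never sees them.
    {"displayName": ".", "isEnabled": True,
     "conditions": {"senderContains": ["partner-a.example", "partner-b.example"]},
     "actions": {"markAsRead": True, "moveToFolder": "Archive"}},
    {"displayName": "Cleanup", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"delete": True}},
]

# Folders a user rarely looks at; mail moved here is effectively hidden.
HIDING_FOLDERS = {"archive", "rss subscriptions", "conversation history",
                  "deleted items", "junk email"}


def suspicious_reasons(rule):
    """Return reasons a rule looks like reply-hiding; empty list if it does not.
    A rule must hide mail (delete or move to a rarely viewed folder) to count;
    marking as read and scoping to specific senders add supporting reasons."""
    cond = rule.get("conditions", {})
    act = rule.get("actions", {})
    folder = str(act.get("moveToFolder", "")).lower()
    if act.get("delete"):
        reasons = ["deletes matching mail"]
    elif folder in HIDING_FOLDERS:
        reasons = [f"moves matching mail to '{act['moveToFolder']}'"]
    else:
        return []  # filing mail into a visible folder is ordinary behaviour
    if act.get("markAsRead"):
        reasons.append("marks it as read so no unread indicator appears")
    senders = cond.get("senderContains", [])
    if senders:
        reasons.append(f"scoped to specific correspondents: {senders}")
    return reasons


def audit_rules(rules):
    """Map each enabled rule's displayName to its reasons; unflagged rules omitted."""
    findings = {}
    for rule in rules:
        if rule.get("isEnabled", True):
            reasons = suspicious_reasons(rule)
            if reasons:
                findings[rule["displayName"]] = reasons
    return findings
```

Running `audit_rules(RULES)` flags the archiving rule and the delete rule and leaves the newsletter rule alone; in production the same check would run over rules pulled for every mailbox, with new or changed rules prioritised.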

Copyright © 2022 IDG Communications, Inc.
